Outline
Program Cryptography: Introduction
Program Cryptography: Background
Start with Python
Learn C Next
Why Learn Python First?
The Best Book to Learn Data Structures & Algorithms
Relevant Data Structures & Algorithms for Cryptography
LeetCode to Build Data Structures & Algorithms
Secure Coding Practices
Side-Channel Attacks
Fault-Injection Attacks
Books to Learn Math for Cryptography
Books to Learn Programming Cryptography
A Simple Request
Program Cryptography: Introduction
Cryptography is not a field for the faint of heart. You will first have to build the programming background. Next you will have to learn the math. If you are new to the math of the field I would start with the following:
Program Cryptography: Background
Start with Python
You should already have programming experience by the time you decide you want to learn how to program cryptosystems. If you are reading this and have no coding experience--I suggest you get started!
I recommend starting with Python. Python is simple to learn and is used in the cryptography field a lot. A great beginner text on Python is No Starch Press's "Python Crash Course, 3rd Edition" by Eric Matthes:
Many experienced Python coders recommend the above text for beginners. It has many fun projects for you to work on. In addition to doing projects you should also build your Data Structures and Algorithms skills. This is your skill in managing information using a modern machine.
As you do the exercises in beginner books such as Python Crash Course I suggest you start building your DS&A skills using a website called CodingBat.
This is a beginner-friendly website with puzzles that test your ability to manage information using standard methods such as arrays, lists, strings, and more. This is what I used when I was learning how to program for the first time in Java and it works equally well with Python!
Learn C Next
Once you have done most of the exercises in beginner books such as "Python Crash Course" and CodingBat I next suggest learning the C programming language. It is essential for cryptographic engineers to understand how the machine manages memory! The most dangerous security exploits mess with how machines manage it and I will talk about this more in the later section "Secure Coding Practices".
For now just know that the most influential cryptographic programming libraries continue to be written in C to this day and there is little sign that this is changing in the near future. With C it is easy to make code portable, fast, and memory efficient. Those are common business demands! For example, if you are reading this your computer is using OpenSSL--a library that implements a famous protocol for Transport Layer Security on servers. That is the protocol that prevents someone from spying on what you send to any website you are talking to and vice-versa.
When you are learning C for the first time I strongly recommend picking up Kenneth A Reek's "Pointers on C".
It is the only book that thoroughly explains pointers. Its code samples heavily use pointers--and much more than necessary. This was done to help the coder master the difficult practice of using pointers in code. I even recommend reading this before you read the next book which is very famous:
The K&R Book:
This is the book written by the original development team behind the language. It contains timeless information on the grammar of the language and simple code samples that reveal how C is used to program operating systems. That is what C was designed for.
Since all modern operating systems rely on C source code to function C still is the lingua franca in the programming community. And since operating system code is written in C--many nasty security attacks including those affecting cryptography deal with that.
A third reason to learn C: it has the best documentation on secure coding practices to avoid many--though not all--of the attacks that can affect the safety of code bases. C may suffer from infamous security exploits and people say that you should not use it for that reason--but people have written documentation on how to write your programs in C to avoid those security exploits--more so than for any other language I have seen including Python. For this reason alone C is easily a must-learn for the cryptographic engineer.
I will give more information on how you can write C programs to avoid those exploits in a future section.
Why Learn Python First?
If the bulk of modern cryptographic code is written in C why bother studying Python first? There are a couple of reasons for that:
It is a programming language easy to get started with. Asking newbies to program in C would demand too much at once.
Python seems destined to be the lingua franca of quantum computing. Few commercial quantum computers are available for us to try out at this time. One of them, IBM Qiskit, offers a Python SDK.
The Best Book to Learn Data Structures & Algorithms
I recommend reading Steven S. Skiena's "The Algorithm Design Manual, Third Edition". This book gives excellent conceptual explanations of the concept followed by sample C source code. I recommend you manually type the sample source code in the chapters you read, compile the programs, and test the programs with sample input yourself. Oh, and please do the relevant exercises. You cannot learn much without doing so. :)
Relevant Data Structures & Algorithms for Cryptography
Since you are interested in programming cryptography which Data Structures and Algorithms should you focus on? From Skiena's book I recommend the following sections:
List of Sections from The Algorithm Design Manual
Read Chapter 1 and Do Some Exercises
Chapter 1 introduces the mindset and approach you should take when applying DS&A. A must read.
Read Chapter 2 and Do Exercises
This chapter reviews Algorithm Analysis: a technique to compare how efficient your program is compared to others.
Read Chapter 3 on Data Structures and Do Exercises
All the data structures mentioned (Arrays, Linked Lists, Trees, and Hashing) you will later see throughout your career in cryptography.
Read Chapter 5 on Divide and Conquer
This chapter teaches you techniques to help your program run faster. Cryptography demands your machine's system resources. So this chapter is critical.
Pay special attention to the sections on Fast Multiplication and Fast Polynomial Multiplication. You will need Fast Multiplication to program public-key cryptography. Fast Multiplication is a technique to multiply huge numbers in a short period of time. You will need a special case of Polynomial Multiplication known as Finite Field Arithmetic to program stream ciphers and even to program a famous encryption method called Advanced Encryption Standard (AES).
Read Chapter 6 on Hashing and Randomized Algorithms
Hashing is a major concept in cryptography. It is used to protect our passwords from being guessed and to check if documents were received correctly across the Internet. So it's a must-read.
Read Chapter 12, Section 10 (12.10) on Quantum Computing
The NIST recently approved of Four Quantum-Safe Cryptosystems. Some companies are preparing to be ready against attacks that can be made by a quantum computer by 2030 CE. It is best if you get started with Quantum Cryptography now!
Skiena only glosses over standard quantum algorithms such as Shor's Algorithm and Grover's Algorithm. Shor's Algorithm threatens the security of classical public-key cryptosystems (e.g. RSA). Grover's Algorithm threatens the safety of symmetric-key based classical cryptosystems (e.g. AES).
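The finite field arithmetic mentioned under Chapter 5 above, worked through in C as an added example (it is not from Skiena's book or from any library). It multiplies in GF(2^8) with the AES reduction polynomial and goes one step further by deriving an AES S-box entry from the field inverse; the function names are my own.

```c
#include <stdint.h>
#include <stdio.h>

/* Multiply by x (0x02) in GF(2^8), reducing modulo the AES polynomial
 * x^8 + x^4 + x^3 + x + 1. The mask replaces an if on the top bit. */
static uint8_t gf_xtime(uint8_t a)
{
    uint8_t mask = (uint8_t)(0u - (unsigned)(a >> 7)); /* 0xFF or 0x00 */
    return (uint8_t)((uint8_t)(a << 1) ^ (mask & 0x1B));
}

/* Shift-and-add polynomial multiplication; addition in this field is XOR. */
uint8_t gf_mul(uint8_t a, uint8_t b)
{
    uint8_t product = 0;
    for (int i = 0; i < 8; i++) {
        uint8_t mask = (uint8_t)(0u - (unsigned)(b & 1));
        product ^= (uint8_t)(a & mask);   /* add a if bit i of b is set */
        a = gf_xtime(a);
        b >>= 1;
    }
    return product;
}

/* Inverse as a^254 (the nonzero elements form a group of order 255).
 * Maps 0 to 0, which is the convention AES uses. */
uint8_t gf_inv(uint8_t a)
{
    uint8_t result = 1;
    for (unsigned e = 254; e != 0; e >>= 1) {  /* the exponent is public */
        if (e & 1)
            result = gf_mul(result, a);
        a = gf_mul(a, a);
    }
    return result;
}

static uint8_t rotl8(uint8_t v, unsigned n)
{
    return (uint8_t)((v << n) | (v >> (8 - n)));
}

/* AES S-box entry: field inverse followed by the FIPS 197 affine map. */
uint8_t aes_sbox(uint8_t x)
{
    uint8_t i = gf_inv(x);
    return (uint8_t)(i ^ rotl8(i, 1) ^ rotl8(i, 2) ^ rotl8(i, 3) ^ rotl8(i, 4) ^ 0x63);
}

int main(void)
{
    printf("57*83 = %02x, inv(53) = %02x, sbox(53) = %02x\n",
           gf_mul(0x57, 0x83), gf_inv(0x53), aes_sbox(0x53));
    return 0;
}
```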
LeetCode to Build Data Structures & Algorithms
Simply doing even all of the book exercises in Skiena's great book is not good enough! You have to practice doing the DS&A problems the industry expects you to perform!
HackerRank and LeetCode are excellent websites to practice your skills. There are several problems in LeetCode that I strongly recommend you solve before even worrying about programming cryptography.
LeetCode is the de-facto website software engineers visit to practice their skills in writing useful programs. Without data structures and algorithms it would be difficult if not impossible to write programs that can benefit people. They are the means by which we extract useful information from the data we have. Applicants to software engineering roles test their coding skills on LeetCode to prepare for job interviews. If you can write coding solutions that
On LeetCode you will see several sample programming puzzles that you are challenged to solve by writing code. LeetCode is a large site and there are over a thousand problems you can choose from.
These websites present you a challenge to write a program that solves a challenge. The website will run your program against test cases to check that your program works properly.
This is an efficient way to tell if you mastered the concept Skiena discusses in his book.
Secure Coding Practices
Once you have nailed the Data Structures & Algorithms from Skiena's book and the programming challenges you are ready to start learning about Secure Coding Practices. These are techniques to write your program in such a way as to avoid common security exploits.
Some of the most frequent security exploits that affect cryptosystems include Buffer Overflows, Integer Overflows, Dynamic Memory Exploits, and more. A lot of these are caused by malpractice--bad programming habits. And attackers do target cryptography code with these of course.
As cryptographic engineers it is our responsibility to ensure our codebases are resistant to such attacks. I would say Robert C. Seacord's "Secure Coding in C/C++" is a must-read.
CERT, the organization that Seacord leads, also published an up-to-date online guide.
Recently, O'Reilly published a more up-to-date book on the same topic: Secure Programming Cookbook.
Side-Channel Attacks
It is not good enough to be good at standard secure coding practices. There are attacks designed to work against programs of cryptosystems themselves. One important class of such attacks is side-channel attacks.
Side channel attacks try to steal the secret key by observing patterns in the machine's behavior while executing a program for a cryptosystem. Side channel attacks have been used to steal the secret key from RSA, AES, and Elliptic Curves in important applications of cryptography such as Transport Layer Security.
Not all side-channel attacks are equally dangerous. The most common threats are time-based and cache-based side-channel attacks. The easiest way to avoid them is to use a cipher that is designed to be resistant to them in the first place!
Programs of cryptosystems that are designed to be resistant to these common side-channel attacks do not rely on the brand of hardware of the machine, and they are easier to program than cryptosystems that do rely on hardware. They are also more portable since they are not tied to a specific brand of hardware.
A symmetric cipher that is designed to be resistant to time-based and cache-based side channel attacks is XChaCha20.
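What "resistant to time-based and cache-based attacks" means at the code level, as an added example that is not taken from any library or from the books on this page: the leaky functions let a secret decide a branch or a memory address, the constant-time ones do not. All function names are my own and the sample data in main() is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Leaky: returns at the first mismatch, so the run time reveals how many
 * leading bytes of a guessed tag were correct. */
int leaky_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i])
            return 0;
    return 1;
}

/* Constant-time: always reads all n bytes and accumulates the differences. */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    /* diff == 0 gives 1, anything else gives 0, without a branch */
    return (int)((((uint32_t)diff - 1u) >> 8) & 1u);
}

/* All-ones when x == y, zero otherwise (d | -d has its top bit set
 * exactly when d is nonzero). */
static uint32_t ct_eq_mask(uint32_t x, uint32_t y)
{
    uint32_t d = x ^ y;
    return ((d | (0u - d)) >> 31) - 1u;
}

/* Leaky: the address that is read depends on the secret index, which an
 * observer of the cache can detect. */
uint8_t leaky_lookup(const uint8_t *table, size_t secret)
{
    return table[secret];
}

/* Constant-time: read every entry and keep the wanted one with a mask. */
uint8_t ct_lookup(const uint8_t *table, size_t n, size_t secret)
{
    uint8_t out = 0;
    for (size_t i = 0; i < n; i++)
        out |= (uint8_t)(table[i] & ct_eq_mask((uint32_t)i, (uint32_t)secret));
    return out;
}

int main(void)
{
    const uint8_t table[8] = {9, 4, 7, 1, 8, 2, 6, 3};   /* constructed */
    const uint8_t tag[4] = {0xde, 0xad, 0xbe, 0xef};     /* constructed */
    const uint8_t guess[4] = {0xde, 0xad, 0x00, 0x00};
    printf("lookup=%u equal=%d\n", ct_lookup(table, 8, 5), ct_equal(tag, guess, 4));
    return 0;
}
```

A compiler is free to turn masks back into branches, so inspect the generated code or measure it with a tool such as dudect, which is mentioned later on this page.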
The NIST approved of several post-quantum safe public-key cryptosystems that are not just resistant to the most common side channel attacks but also quantum-computing attacks.
The most important reason for that is that it will take long periods of time to get organizations to adapt to the new cryptosystems. People have to spend time understanding the math, learning how to program quantum machines for cryptanalysis, learning how to program the cryptosystems themselves in classical computers, and integrating production-quality cryptosystems into their own production environments! That's a lot to take in.
I recommended the new NIST-post quantum safe cryptosystems since quantum computers were destined to break classical public-key cryptosystems anyway.
Fault Injection Attacks
Fault Injection Attacks take place when the attacker forces the computer hardware to malfunction--causing secrets to be leaked. RISCURE, the organization whose leaders published the book aforementioned, also wrote a nice guide on how to write programs resistant to them.
Books to Learn Math for Cryptography
Cryptography without math is like Physics without math--you are not going to be able to make anything useful without it!
Now that you have the programming experience necessary to program the math--it's time to learn the math!
An excellent first text on the math for cryptography is Christof Paar's and Pelzl's "Understanding Cryptography":
This was the first text I read and whose problems I did back when I was learning it for the first time. One of the authors, Christof Paar, also made a great series of lectures now on YouTube.
The authors recommended The Handbook of Applied Cryptography as an excellent supplement. This book is an excellent review of the math required in classical cryptography and occasionally gives pseudocode on how to program it on a machine:
A second book the authors recommended as a supplement is "The Encyclopedia of Cryptography" edited by Henk van Tilborg:
A great book on the math required for classical public-key cryptosystems is "An Introduction to Mathematical Cryptography" by Jeffrey Hoffstein et al. Hoffstein helped co-invent the FALCON quantum-safe public-key cryptosystem--so he is an expert in the field:
If your budget can afford the next two books I would instantly purchase a comprehensive book that reviews the math, the design, the diagrams, and the pseudocode for classical cryptography. This book's name is long: "Cryptography: Algorithms, Protocols, and Standards" by Zoubir M. Mammeri. It comes complete with exercises and solutions for every chapter. It has an outstanding summary of classical cryptography but it is so expensive:
A final book I would strongly recommend is the "Handbook of Elliptic and Hyperelliptic Curve Cryptography". This is an outstanding reference on the math behind elliptic curve cryptography. The book's explanations are so clear you can easily translate the math into working software:
Books to Learn Programming Cryptography
If you are interested in learning how to program cryptography I am sorry to say there are few books on the market that aim to help with that. Here are the few that are worth checking out:
Joshua Davies's book "Implementing SSL/TLS":
This book gives sample code of cryptosystems used in Transport Layer Security. This is the program that encrypts all website traffic on websites--including the one you are reading from right now. Without TLS, e-commerce on the Internet would never be safe as we know it.
Some of the cryptosystems mentioned in the above book include RC4, AES, RSA, Diffie-Hellman, and more. The code in the book should never be used in production. The code was only designed to be technically correct according to specs--not to be secure enough for production.
Bruce Schneier's book "Applied Cryptography":
Bruce Schneier is a respected cryptographer. He helped invent Twofish, Blowfish, Fortuna, and others. The C source code in the book is great to get started with writing cryptography. Unfortunately the book is now very out of date. Unfortunately, it was the last published of its kind!
"Modern Computer Arithmetic" by Richard Brent & Paul Zimmermann:
Fellow Redditors have recommended this book for all the arithmetic necessary in cryptography--such as when coding multi-precision arithmetic. This book makes it easier to translate the theory behind such math concepts into working programs:
"Hacker's Delight: Second Edition" by Henry S. Warren, Jr.:
All of the books besides Schneier's introduce the math background to help you understand cryptosystems. The above book gives formulas to solve arithmetic problems using bitwise manipulation techniques. Not only will this help your cryptographic programs run faster--you will find the formulas in the book are crucial to developing code resistant to side-channel attacks including timing attacks, power analysis, and fault injection attacks. For this reason alone you should have a physical copy next to you at all times. It is a distilled, easier to read version of many of the programs discussed in Donald Ervin Knuth's "The Art of Computer Programming".
"The Art of Computer Programming" by Donald Ervin Knuth:
Everyone reading this who has a programming background has probably heard of this book. It's that book we all heard of and either bought or stuffed in our bookshelves and allowed to gather dust. It is as massive as it is an indispensable review of computer science theory and practice. For cryptographic engineers it has been seen used as a reference on important math concepts. For example, the creators of dudect, a C program to verify if a C program is constant-time, have cited the book when coding the tool.
When you purchase the books you will at first feel guilty for blasting $300 USD on them. Later, you will realize they contain insights you would be hard-pressed to find elsewhere.
For some reason, security engineers do not publish books on programming cryptography for production environments. And yet--it is undeniable we count on said technology every day!
A Simple Request
Are you interested in programming cryptography? Are you struggling with translating concepts in theory to working code? Are you struggling with figuring out how to make your code correct, secure, and easy for others to refactor? I got so tired of trying to find books on the matter that I decided to start writing my own.
If you are serious about programming cryptography to earn a living as I am please consider checking out a preview of my book at:
At the time of this writing I admit I have only written the Preface + Table of Contents. This is to help me know if readers like you will be interested in such content. On the webpage of the book preview you are more than welcome to leave any comments and suggestions.
Thanks for reading this blog!